Managing Service Accounts
Limited access to a Kubernetes cluster can be achieved using Kubernetes service accounts, and the RBAC feature within Kubernetes.
To achieve this, you need to create:
- A Kubernetes service account
- An access role
- Role binding for the Kubernetes service account to use the access role
All authentication with Kubernetes clusters created in GKS is done with bearer tokens. When you create a new Kubernetes service account a secret will be created for it in the same namespace, which will be automatically removed when you delete the Kubernetes service account.
Creating a Kubernetes Service Account
To create a Kubernetes service account, run the following command, replacing my-serviceaccount with the name you want to use for the Kubernetes service account:
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-serviceaccount
  namespace: my-namespace
EOF
The cluster then automatically creates a new access token secret with a name like my-serviceaccount-token-#####, where the #s are alphanumeric characters.
To get a list of the tokens in a specific namespace, run:
kubectl get secrets --namespace=my-namespace
Then print the token you want to use with the following command, replacing $SECRETNAME with the name of the secret that was created for your service account:
kubectl get secret $SECRETNAME -o jsonpath='{.data.token}' --namespace=my-namespace
The value stored in the secret is base64-encoded, so decode it before use. Provide the decoded token, together with the name of the service account, to a developer or third party to allow them to interact with the cluster.
At this point the service account can authenticate to the Kubernetes cluster, but it has no permissions yet. You need to create a role and a role binding to grant permissions to the service account.
Creating Authorization Permissions
Kubernetes has two ways of granting access to service accounts: roles and cluster roles. Since cluster roles grant access across all namespaces, it is recommended not to use them unless you have to. We provide examples of the namespace-restricted roles here.
Roles explicitly list the permissions granted to users (both humans and Kubernetes service accounts). Permissions are additive: when a user has multiple roles, they can do anything that any one of the roles grants.
To create a role that allows a user to read information about pods in the namespace my-namespace, use the following command:
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
EOF
To allow the service account you created earlier to use this role, create a role binding with the following command:
kubectl create rolebinding read-pods \
--role=pod-reader \
--serviceaccount=my-namespace:my-serviceaccount \
--namespace=my-namespace
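The following added example (not part of this page or of any Kubernetes tooling) ties the steps above together offline. It decodes the bearer token from the JSON form of a service-account token secret, and it evaluates the pod-reader Role and read-pods RoleBinding with the same matching semantics the API server applies: a request is allowed when any rule of any Role bound to the subject matches its verb, API group and resource, and a RoleBinding can only reference a Role in its own namespace. The secret contents, the manifests as Python dicts and the extra pod-creator role are all constructed for the example; the token value is a placeholder, not a real credential.

```python
import base64
import json

# Constructed sample: the JSON shape `kubectl get secret <name> -o json` returns for a
# service-account token secret. The token is a placeholder, not a real token.
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {
        "name": "my-serviceaccount-token-abcde",
        "namespace": "my-namespace",
        "annotations": {"kubernetes.io/service-account.name": "my-serviceaccount"},
    },
    "data": {"token": base64.b64encode(b"PLACEHOLDER-BEARER-TOKEN").decode()},
})


def token_from_secret(secret_json: str) -> str:
    """Return the bearer token held in a service-account token secret.

    `.data.token` is base64-encoded in the secret; the decoded string is what goes
    into the `Authorization: Bearer ...` header.
    """
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret")
    return base64.b64decode(secret["data"]["token"]).decode()


# Constructed dicts mirroring the Role and RoleBinding created above.
POD_READER = {
    "kind": "Role",
    "metadata": {"namespace": "my-namespace", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
READ_PODS_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "my-namespace", "name": "read-pods"},
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
    "subjects": [{"kind": "ServiceAccount", "name": "my-serviceaccount", "namespace": "my-namespace"}],
}
# A second constructed role/binding pair, used to show that permissions are additive.
POD_CREATOR = {
    "kind": "Role",
    "metadata": {"namespace": "my-namespace", "name": "pod-creator"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}],
}
CREATE_PODS_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "my-namespace", "name": "create-pods"},
    "roleRef": {"kind": "Role", "name": "pod-creator", "apiGroup": "rbac.authorization.k8s.io"},
    "subjects": [{"kind": "ServiceAccount", "name": "my-serviceaccount", "namespace": "my-namespace"}],
}


def _rule_matches(rule, verb, api_group, resource):
    """A rule matches when each of verb, apiGroup and resource is listed or wildcarded."""
    def hit(wanted, listed):
        return "*" in listed or wanted in listed
    return (hit(verb, rule["verbs"]) and hit(api_group, rule["apiGroups"])
            and hit(resource, rule["resources"]))


def effective_rules(sa_namespace, sa_name, bindings, roles):
    """Union of rules granted to a service account through RoleBindings."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    rules = []
    for binding in bindings:
        ns = binding["metadata"]["namespace"]
        subject_ok = any(
            s["kind"] == "ServiceAccount" and s["name"] == sa_name
            and s.get("namespace", ns) == sa_namespace
            for s in binding["subjects"]
        )
        if not subject_ok or binding["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are deliberately out of scope here
        # A RoleBinding can only reference a Role in its own namespace.
        role = roles_by_key.get((ns, binding["roleRef"]["name"]))
        if role is None:
            continue  # a binding to a missing Role grants nothing
        rules.extend(role["rules"])
    return rules


def allowed(sa_namespace, sa_name, bindings, roles, verb, resource, api_group=""):
    """True if any effective rule permits the request (there are no deny rules in RBAC)."""
    return any(_rule_matches(r, verb, api_group, resource)
               for r in effective_rules(sa_namespace, sa_name, bindings, roles))


if __name__ == "__main__":
    print("token:", token_from_secret(SECRET_JSON))
    sa = ("my-namespace", "my-serviceaccount")
    print("get pods:", allowed(*sa, [READ_PODS_BINDING], [POD_READER], "get", "pods"))
    print("delete pods:", allowed(*sa, [READ_PODS_BINDING], [POD_READER], "delete", "pods"))
```

Note how nothing in the evaluator can refuse a request that another bound role already allows: RBAC only grants, so every extra binding widens what the token holder can do, which is why each service account should get the narrowest role that covers its task.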
For a full list of resources run:
kubectl api-resources
For most resources, the available verbs are:
- get
- list
- watch
- create
- edit
- update
- delete
- exec
More Information
More details are available in the official Kubernetes documentation on controlling access and using roles and role bindings in RBAC.
Summary
In this section you learned how to use the Kubernetes CLI to:
- Create a Kubernetes service account
- Retrieve the automatically generated bearer token for a service account
- Create a new role in Kubernetes RBAC
- Create a role binding to allow the Kubernetes service account to use that role